Severity: moderate
Affected versions:
- Apache Camel (org.apache.camel:camel-cxf-soap) 4.0.0 before 4.14.8
- Apache Camel (org.apache.camel:camel-cxf-soap) 4.15.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-cxf-soap) 4.19.0 before 4.21.0
Description:
Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy')
vulnerability in Apache Camel CXF SOAP component.
The camel-cxf producer selects which SOAP operation to invoke on the backend
service from the operationName (and operationNamespace) Exchange header, whose
constant values (CxfConstants.OPERATION_NAME / OPERATION_NAMESPACE) were the
plain strings operationName / operationNamespace. Because these names do not
start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks
only the Camel header namespace on the HTTP boundary - let them pass from an
inbound HTTP request straight into the Exchange. In a route that bridges an
HTTP consumer (for example platform-http) into a cxf: producer, any HTTP client
could therefore set the operationName header and have CxfProducer resolve and
invoke a different WSDL operation than the route intended - for example
replacing a read operation with a destructive one - against the backend SOAP
service (a confused-deputy redirection). The constant is defined in the shared
camel-cxf-common module, so the same non-prefixed names also applied to
camel-cxfrs. No credentials are required when the bridging consumer is
unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before
4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If
users are on the 4.14.x LTS releases stream, then they are suggested to upgrade
to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested
to upgrade to 4.18.3. After upgrading, the operation-selection headers are
named CamelCxfOperationName / CamelCxfOperationNamespace and are filtered at
transport boundaries; see the 4.21 upgrade guide for the cross-transport
carrier-header pattern. For deployments that cannot upgrade immediately, do not
select the CXF operation from untrusted input: strip the operationName and
operationNamespace headers from any untrusted ingress before the cxf: producer
and set the operation from a trusted source in the route.
Credit:
Yu Bao from Paypal (finder)
Andrea Cosentino (remediation developer)
References:
https://camel.apache.org/security/CVE-2026-46592.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-46592